the war against fraud & abuse: are we winning? · the war against fraud & abuse: ......

Dave Cotton, CPA, CFE, CGFM

Cotton & Company LLP

Alexandria, Virginia

www.cottoncpa.comp

Fiscal Officers of Colleges and Universities - State Supported

November 13, 2009

The War Against Fraud & Abuse: Are We Winning?

DAVID L. COTTON, CPA, CFE, CGFM COTTON & COMPANY LLP CHAIRMAN

Dave Cotton is chairman of Cotton & Company LLP, Certified Public Accountants. Cotton & Company is headquartered in Alexandria, Virginia. The firm was founded in 1981 and has a practice concentration in assist-ing United States Federal and State government agencies, inspectors general, and government grantees and contractors with a variety of government program-related assurance and advisory services. Cotton & Company has performed grant and contract, indirect cost rate, financial statement, financial related, and performance audits for more than two dozen Federal inspectors general (including the Department of State, the United States Agency for International Development, and the Millennium Challenge Corporation) as well as numerous other Federal and State agencies and programs. Cotton & Company’s Federal agency audit clients have included the U.S. Government Accountability Office, the U.S. House of Representatives, the U.S. Small Business Administration, the U.S. Bureau of Prisons, the Millennium Challenge Corporation, and the U.S. Marshals Service. Cotton & Company also assists numerous Federal agencies in preparing financial statements and improving financial management and accounting systems. Mr. Cotton received his BS in mechanical engineering (1971) and an MBA in management science and labor rela-tions (1972) from Lehigh University in Bethlehem, PA. He also pursued graduate studies in accounting and auditing at the University of Chicago, Graduate School of Business (1977 to 1978). He is a Certified Public Accountant (CPA), Certified Fraud Examiner (CFE), and Certified Government Financial Manager (CGFM). Mr. Cotton is presently serving on the Advisory Council on Government Auditing Standards (the Council advises the United States Comptroller General on promulgation of Government Auditing Standards—GAO’s yellow book). He is a member of the Advisory Council of the Academy for Government Accountability. He is also a member of the advisory board of the Institute for Truth in Accounting. He served on the Institute of Internal Auditors (IIA) Anti-Fraud Programs and Controls Task Force and co-authored Managing the Business Risk of Fraud: A Practical Guide. He served on the American Institute of CPAs Anti-Fraud Task Force and co-authored Management Override: The Achilles Heel of Fraud Prevention. He is the past-chairman of the AICPA Federal Accounting and Auditing Subcommittee and has served on the AICPA Governmental Accounting and Auditing Committee and the Government Technical Standards Subcommittee of the AICPA Professional Ethics Executive Committee. Mr. Cotton served on the board of the Virginia Society of Certified Public Accountants (VSCPA), and on the VSCPA Litigation Services Committee, Professional Ethics Committee, Quality Review Committee, and Governmental Accounting and Auditing Committee. He is member of the Greater Washington Society of CPAs (GWSCPA) and is serving on the GWSCPA Professional Ethics Committee. He is a member of the Association of Government Accountants (AGA) and is past-advisory board chairman and past-president of the AGA Northern Virginia Chapter. He is also a member of the Institute of Internal Auditors and the Association of Certified Fraud Examiners. Mr. Cotton has testified as an expert in governmental accounting and auditing issues and fraud issues before the United States Court of Federal Claims and other administrative and judicial bodies. Mr. Cotton has spoken frequently on professional ethics and auditors’ fraud detection responsibilities under SAS 99, Consideration of Fraud in a Financial Statement Audit. He also has been an adjunct instructor at the Inspectors General Auditor Training Institute (Auditing the Federal Contracting Process and Contract and Procurement Fraud) and currently teaches at the George Mason University Small Business Development Center (Fundamentals of Accounting for Government Contracts).

Fiscal Officers of Colleges and Universities - State Supported November 13, 2009

[email protected] 1

Case Study

Mother of All Pyramid Schemes

How important is the job we do as auditors?

When people make a decision on whether to When people make a decision on whether to

invest, they do look to see that there was an

independent auditor's report and whether or not it

was objective and whether or not it basically laid

out the strength of the company

out the strength of the company. --Rockland County District Attorney Thomas Zugibe


[email protected] 2

Who is Zugibe talking

about?

about?

U S says auditor "sold his license" to Madoff

March 18, 2009

U.S. says auditor sold his license to Madoff

• U.S. Attorney's Office in Manhattan says Friehling "not charged

with knowledge of the Madoff Ponzi scheme" but is accused of

deceiving investors by falsely certifying he audited Madoff

financial documents and helping "foster the illusion" Madoff was

l iti t i t

a legitimate investor.

• SEC says Friehling and his firm "did not perform anything

remotely resembling an audit" or try to confirm that stocks

Madoff purportedly bought for customers even existed.


[email protected] 3

• Authorities say Friehling failed to conduct independent

March 18, 2009

Authorities say Friehling failed to conduct independent

verification of Madoff operation's assets, review sources of its

revenue including commissions or examine a bank account

through which billions of dollars of client funds flowed.

• Friehling's and his family's personal accounts at Madoff firm

had an accumulated balance on November 30 2008 of more

had an accumulated balance on November 30, 2008 of more

than $14 million, and withdrawals from the largest of these

accounts totaled over $5.5 million since 2000, the SEC said.

• SEC says Friehling took steps to hide his investments with

March 18, 2009

SEC says Friehling took steps to hide his investments with

Madoff, replacing his own name on his account with his wife's

name and later renaming it the "Friehling Investment Fund" to

try to conceal his conflict of interest.

• Friehling and his firm received $186,000 a year in fees for

providing the purported auditing work to Madoff firm along

providing the purported auditing work to Madoff firm along

with bookkeeping and tax services for the confessed swindler

and various Madoff family members, SEC says.


[email protected] 4

Friehling told the AICPA that hisFriehling told the AICPA that his

firm did not do any audits—thereby

evading any peer review

requirements

q

It sounds like he was telling the truth

Winning the War Against Fraud & Abuse

Should auditors be expected to find fraud?

If not auditors then who? If not auditors, then who?

How about management?

How about “those charged with governance”?

Maybe the government should do it?

How about more standards?


The Answer


[email protected] 5

The four possible audit outcomes with respect to fraud …

1. There was no material fraud

2. There was material fraud, and the auditors discover the fraud

3. There was material fraud, and the fraud is discovered through some other means after the audit is completed

the audit is completed

4. There was material fraud, and the fraud is never discovered

Chicanery

Financial statement fraud is characterized by …

False entriesChicanery

Collusion

Concealment

Cover-up

Deceit

Deception

False entries

False exculpatories

False pretenses

Falsification

Guile

Lies

Deception

Deliberate distortions

Dishonesty

Evasion

Lies

Misdirection

Misrepresentation

Trickery


[email protected] 6

Finding fraud is not an even contest

Auditors have limited powers, tight schedules, constrained budgets, high visibility, and much to try to

iexamine

Auditors begin their work unaware that a crime has been committed

Perpetrators know that a crime has been committed and how it was committed

and how it was committed

Perpetrators will take as much time and exert as much effort as necessary to avoid detection

Finding fraud is not an even contest

Perpetrators know exactly what needs to be concealed

Perpetrators know exactly who is trying to find their fraud and how they plan to go about doing it

Perpetrators will work round-the-clock to avoid detection

In most cases, the perpetrator’s desire to avoid detection far exceeds the auditor’s desire to find fraud


[email protected] 7

Here’s what the current standard (SAS 99) requires( ) q

“the auditor has a responsibility to plan and perform the audit to obtain reasonable

assurance about whether the financial statements are free of material

statements are free of material misstatement, whether caused by error or

fraud.”

Here’s what the current standard (SAS 99) requires

Fraud is a broad legal concept and auditors do notFraud is a broad legal concept and auditors do not make legal determinations of whether fraud has occurred. Rather, the auditor’s interest specifically relates to acts that result in a material misstatement of the financial statements. The primary factor that distinguishes fraud from error is whether the

underlying action that results in the misstatement of the financial statements is intentional or unintentional.


[email protected] 8


Management has a unique ability to perpetrate fraud g q y p p fbecause it frequently is in a position to directly or indirectly manipulate accounting records and present fraudulent financial information.

… management and employees engaged in fraud will take steps to conceal the fraud from the auditors and others within and outside the organization Fraud may be

others within and outside the organization. Fraud may be concealed by withholding evidence or misrepresenting information in response to inquiries or by falsifying documentation.


Fraud also may be concealed through collusion among management employees or third partiesamong management, employees, or third parties. Collusion may cause the auditor who has properly performed the audit to conclude that evidence provided is persuasive when it is, in fact, false.

… fraud usually is concealed and management’s intent is difficult to determine

intent is difficult to determine …

… absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud.


[email protected] 9

Here’s what the yellow book requires

Whether an act is, in fact, fraud is aWhether an act is, in fact, fraud is a determination to be made through the judicial or other adjudicative system and is beyond auditors’ professional responsibility. [Paragraph 7.30]

So, does it matter to auditors if a misstatement was caused by fraud

rather than error?rather than error?


[email protected] 10

Yes, according to the PCAOBAlthough any financial statement audit entails some risk that the auditor will not detect a material misstatement even when the audit has been conducted in accordance with the standards of the PCAOB [i.e. SAS 99], the risk of nondetection is likely to be higher for misstatements caused by fraud than for misstatements caused by error, since fraud usually involves deliberate concealment and may involve collusion with third parties. The auditor should,

therefore, assess risks and apply procedures directed specifically to the detection of a material, fraudulent misstatement of the financial statements. [PCAOB Release 2007-001.]

C St d P fCase Study: Performance Audit of Port of Seattle

Construction management



POS Construction Management Records are

Major Audit Findings

POS Construction Management Records are Incomplete and Disorganized.

POS Fails to Enforce Basic Contract Requirements, Resulting in Delays, Extra Costs, and an Inability to Defend Against Claims.

POS Construction Management is Vulnerable to

POS Construction Management is Vulnerable to Fraud, Waste, and Abuse.

Details of this finding included 46 specific situations

indicative of fraud

“As to the issue of fraud, it is important to note that no instance of fraud was found …”“ h P h l f f d h ld i

Port of Seattle Response

“… the Port has zero tolerance for fraud should it ever be found.”

“This performance audit found no fraud.” “The Port notes that the Performance Auditor did

not find actual cases of fraud during his investigation.”

investigation. “… the Port believes that it is not vulnerable to

fraud to the degree suggested by the Performance Auditor …”



Official Reaction to the Audit

January 7, 2008Feds open criminal inquiry into port

State audit slams port's waste Report: $97.2 million down the drain

January 7, 2008

Justice Department to investigate Port

January 8, 2008

Possible fraud at Port focus of criminal probe

Port Commission Investigation



Even when evidence of fraud is

Port of Seattle Performance Audit

Even when evidence of fraud is overwhelming, those responsible will deny the facts, attack the auditor, and demand that auditors provide “proof” of fraud.

Maybe auditors find more fraud than we realize …

The only difference between an error and fraud is intent

Intent is very difficult to prove

Auditors find lots of “errors”

Maybe some of them are really fraud



C S d D U i dCase Study: Daewoo v United States of America

Daewoo v United States

Daewoo Engineering and Construction Co., Ltd., was awarded an $88 million contract to build a 2-lane high a aro nd Babeldaop Island Rep blic of Palahighway around Babeldaop Island, Republic of Palau

Daewoo encountered weather-related delays

The road was supposed to have been completed in 2001

The road was finally completed in the fall of 2007

Daewoo submitted a $64 million claim to the Army Corps of engineers




DOJ hired Cotton & Company to help defend against the claim

We spent 3 weeks in Palau auditing the claim We spent 3 weeks in Palau auditing the claim

Daewoo’s claim contained equipment costs (about 85% of the claim), labor costs, and other costs, including the “kitchen sink”

A true “kitchen sink” claim



A true “kitchen sink” claim

Convoluted claim presentation

300+ pages

Costs for Daewoo as well as Daewoo’s 6 subcontractors

Different formats and bases

Daewoo hired a claims expert to review its l i d h d i l

claim and that expert presented an entirely different claim



Convoluted claim presentation—equipment costs

Auditing the Claim

We asked for the Excel spreadsheets that generated the many pages of equipment cost schedulesschedules

We “unhid” the hidden columns

We rearranged the columns so that they were consistent for all spreadsheets

We merged the spreadsheets into a single

We merged the spreadsheets into a single spreadsheet

We performed a “data sort” on the “Chassis No.” column



Auditing the Claim

We sought Daewoo’s explanation for the duplicated equipment

T “ ” th t th h d t i it f To “prove” that they had certain items of equipment, Daewoo’s equipment manager revealed a previously undisclosed spreadsheet



Auditing the Claim

We used this newly discovered spreadsheet to identify scrapped equipment in the claim

D li t d d d i t i th l i Duplicated and scrapped equipment in the claim totalled at least $2,020,252.



Daewoo’s Explanations

Duplicated and scrapped equipment were insignificant errors in their claimg

A Compelling Trial Exhibit




We noted that all Daewoo’s “errors” in the claim increased the amount of the claim; no errors had the effect of reducing the claim This would be athe effect of reducing the claim. This would be a remarkable coincidence in a random review of claim elements, or any means of “sampling” by auditors. See, e.g., DX 1015 (Cotton Report); DX 1015 (Cotton Supplemental Report); Tr. 17303 (McGeehin). The possibility that the inflationary ff t f E t’ d D ’ lt d

effects of Exponent s and Daewoo s errors resulted from innocent mistakes is remote.

--The Honorable Robert Hodges




ALL of Daewoo’s $64 million claim was denied

The Court entered judgment in the Government’s favor under fraud counterclaims pertaining to:

The fraud provisions of the Contract Disputes Act

The False Claims Act

The Special Plea in Fraud (Fraud Forfeiture)

Fraud in the Inducement (bait & switch) Daewoo has been ordered to pay the Government

Daewoo has been ordered to pay the Government $50,639,855.88

An additional $10-20 million in penalties (as well as debarment) is still pending

Daewoo’s appeal was ruled on in February 2009



The Compact Road, Fall 2009





SCOTUS Appeal Outcome



Our audit identified many many “errors” in

Daewoo v United StatesLessons Learned …

Our audit identified many, many errors in the claim. It took a 13-week trial to enable a federal judge to conclude that many of those “errors” were actually fraud.

Even then Daewoo continued (and continues)

Even then, Daewoo continued (and continues) to deny that it had committed any fraud.

Are auditors getting the job done?



[6/29/02]

Accounting experts say Andersen should have noticed that WorldCom

hid $3.8 billion of expenses

Are auditors getting the job done?

Not so much



How about management?

After all, we all know that it is management’s responsibility to design, implement, and maintain a system of strong internal control to prevent fraud, waste, and abuse

Yes let’s all agree that management should be

Yes, let s all agree that management should be responsible …

Quiz #1: What do all of these entities have in common?

ZZZZBest

MiniScribeBarings Bank

Arizona Arizona

Foundation for New Era

Philanthropy

Baptist Baptist FoundationFoundation



There are two types of fraud …

Misappropriation of assets (aka employee fraud)

Fraudulent financial reporting (aka management fraud)

BUT, most of the recent high-profile fraud cases have been management

fraud cases …




This is what we’re trying under Sarbanes-Oxley for publicly-traded companies

Old question when fraud happened: Where were the auditors?

New question when fraud happens: Where was the audit committee?

the audit committee?

Essentially a recognition that management cannot be trusted in all situations

Case Study: Orel Suer



Would you give your hard-earned money to this man?

May 1, 2004

Ex-Chief Of Local United Way Sentenced

Former Chief of Area United Way Sentenced to 27 Months for Fraud

Oral Suer pleaded guilty to defrauding the United Way of almost $500,000 over a 6-7 year period

He was caught in 2002

UWNCA 2001 revenue: $90,000,000



May 1, 2004


Former Chief of Area United Way Sentenced to y27 Months for Fraud

Oral Suer pleaded guilty to defrauding the United Way of almost $500,000 over a 6-7 year period

He was caught in 2002

UWNCA 2001 revenue: $90,000,000

UWNCA 2002 revenue: $19,000,000

The Suer investigation revealed another scheme: Round-Tripping Receipts

DC Area Donors

$$

United Way of the National Capital

Area:

Takes 10%

$$

United Way of Frederick, MD: takes

90%

%

Takes 10%

Takes another 10%

72.9% goes to UWNCA charities

Frederick, MD: takes 10% of the 90%81%

Charities get 72.9%72.9%



May 1, 2004


Lessons Lessons Auditors and not-for-profits need to re-evaluate their

focuses on quantitative materiality

Abuse is often the iceberg-tip that can reveal bigger problems ($60,000 to sound-proof Orel’s office mightha e been a good red flag)

have been a good red flag)

Governance matters

New Guidance for Audit Committees

FREE at: www.aicpa.org



Management Override: The Achilles Heel of Internal Control

TARGET AUDIENCE:

Those Charged with Governance

S ti A M t O id d th A dit


Section A: Management Override and the Audit Committee’s Responsibilities

Section B: Actions to Address the Risk of Management Override of Internal Controls



M i t i i Sk ti i


Maintaining Skepticism

Strengthening Committee Understanding of the Business

Brainstorming to Identify Fraud Risks

Using the Code of Conduct to Assess the

Using the Code of Conduct to Assess the Financial Reporting Culture

Cultivating a Vigorous Whistleblower Program

Developing a Broad Information and Feedback


Network Communications With Internal Auditors Communications With Independent Auditor Communications With the Compensation Committee Communications With Key Employees

Appendix: Suggested Audit Committee Procedures: Strengthening Knowledge of the Business and Related Financial Statement Risks




Too soon to tell at the SEC level …

There are about 17,000 publicly-traded companies

There are about 450,000 private companies, not-for-profits, and state/local governmental

i i M d h di

entities …. Most do not have audit committees, some do not have boards

How good is the typical non-SEC board?



The Smithsonian Board

John G. Roberts, Jr., Chief Justice of the United States Richard B. Cheney, Vice President of the United States Thad Cochran, Senator from Mississippi Christopher Dodd, Senator from Connecticut Patrick J Leahy Senator from Vermont Patrick J. Leahy, Senator from Vermont Xavier Becerra, Representative from California Sam Johnson, Representative from Texas Doris Matsui, Representative from California Eli Broad, Chairman of AIG Retirement Services, Inc. Anne d’Harnoncourt, Chief Executive Officer, Philadelphia Museum of Art Phillip Frost, former Chairman and CEO of IVAX Corporation Shirley Ann Jackson, President of Rensselaer Polytechnic Institute

Robert P. Kogod, former CEO of the Charles E. Smith Companies Walter E. Massey, President of Morehouse College Roger W. Sant, Chairman Emeritus of The AES Corporation Alan G. Spoon, Managing General Partner of Polaris Venture Partners Patricia Q. Stonesifer, President of the Bill & Melinda Gates Foundation



Can we rely on “those charged with governance” to stop fraud and abuse?

Not so much

Maybe the government should do it?

Sure, let’s let the government do it

The government’s doing a real good job at other things …

Like crime-prevention, education, emergency t b l i b d t

management, balancing budgets …

Look at the great job the SEC has done to prevent fraudulent financial reporting since 1934 …



Picture = 1,000 Words (and $65 billion)

Can we trust the government to stop fraud?

Not so much




Sure, this HAS to be the answer

We need more auditing standards and more accounting principles

Statements on Auditing Standards

100

120

20

40

60

80

0

20

19751985

19952005



Statements on Financial Accounting Standards

120

140

160

40

60

80

100

0

20

19751985

19952005

SEC Enforced Restatements by Year

7580 75

2130

40

50

60

70

615 14

10 84 3 4

1721

0

10

20

1990 1992 1994 1996 1998 2000

Source: Financial Executives Research Foundation Inc.



Restatements by Stock Exchange 1990-2000

200

250

50

100

150

200 Pink Sheets

OTC

Nasdaq

AMEX

NYSE

0

19901991

19921993

19941995

19961997

19981999

2000

Source: Financial Executives Research Foundation Inc.

Source: The Huron Report: 2004 Annual Review of Financial Reporting Matters

See: www.huronconsultinggroup.com



Source: Financial Restatements: Update of Public Company Trends, Market Impacts, and Regulatory Enforcement Activities (GAO-06-678), July 25, 2006

SASs and Financial Statements Restated

500

600

100

200

300

400

0

100

19901995

20002005

SASs Restatements



Source: Financial Restatements: Update of Public Company Trends, Market Impacts, and

Regulatory Enforcement Activities (GAO-06-678), July 25, 2006

Will adding more standards put an end to fraud?

Not so much



One more thought on all those auditing standards …

We have had 116 SASs since the ASB was f d i 1973formed in 1973

How many dealt specifically with fraud and illegal acts?

Just 5: SAS 16, 53, 54, 82, and 99 (just 2 still in effect)

effect)

So, we’ve had 111 SASs focused on finding mistakes?

One more thought on all those auditing standards …

In the Bob Kratchet, green eyeshade accounting era, maybe 111 SASs focused on finding errors was a good idea …

But, in the age of automated accounting and electronic data processing????

Maybe we COULD use a few more SASs focused

Maybe we COULD use a few more SASs focused on finding fraud

Just a thought …



The Answer:

The Answer: Comprehensive anti-fraud programs and controls

Deterring, preventing, and detecting fraud needs to be a comprehensive and concerted effort by all involved



The IIA Anti-Fraud Task Force

Chaired by Dave Richards, IIA CEO, and Ron Durkin, KPMG Forensic Partner,

Developed a comprehensive guide for organizations committed to implementation of the strongest anti-fraud measures possible

Exposed for review and comment

Vetted by endorser and supporter groups

Issued in 2008

Preventing Fraud, Waste, and Abuse

Comprehensive fraud risk management

What the COSO Framework has been to internal control, this new guide will be to fraud prevention



FREE at www.theiia.org

Written by the Anti-Fraud Task Force, sponsored by:


Institute of Internal Auditors (IIA)

Association of Certified Fraud Examiners (ACFE)

American Institute of CPAs (AICPA).

Task Force members included accountability professionals from a wide array of large, small, public,

p f f y f g , , p ,private, governmental and academic organizations and institutions.




Managing the Business Risk of Fraud: a ti l idpractical guide

Introduction Fraud Risk Governance and the Fraud Risk

Management Program Fraud Risk Assessment

F d P ti

Fraud Prevention Fraud Detection Fraud Investigation and Response

Managing the Business Risk of Fraud: a ti l id


practical guide Appendices:

Reference Material

Fraud Governance Policy

Risk Assessment Framework Sample

Fraud Prevention Scorecard

Fraud Detection Scorecard

COSO Fraud Risk Management Activities




End Thoughts

Fraud is VERY difficult to prevent

Even harder to detect

No single player in our free market system should be held singularly responsible

We ALL need to be involved in the fight



End Thoughts

We have the strongest capital market in the world and the most vigorous and generous donorand the most vigorous and generous donor community in the world.

These are the engines of productivity, prosperity and progress.

Imagine how much stronger they can be if we

g g ystamp out fraudulent financial reporting and draw more capital from totally confident investors and donors across the country and around the globe.

Fiscal Officers of Colleges and Universities - State Supported

November 13, 2009

The War Against Fraud & Abuse: Are We Winning?

Dave Cotton, CPA, CFE, CGFM

Cotton & Company LLP

Alexandria, Virginia

www.cottoncpa.com

the war against fraud & abuse: are we winning? · the war against fraud & abuse: ......

Documents